Security

RogerIQ separates trusted server surfaces from browser-safe public surfaces.

API Keys

  • Use riq_ keys only from trusted server code.
  • Scope keys narrowly.
  • Rotate keys after access changes.
  • Do not ship keys in frontend bundles, widgets, forms, or mobile apps.

Widget Secure Mode

Secure mode verifies widget identity with HMAC-SHA256 signatures generated on your server. Use secure mode when previous messages, customer history, account state, or privileged workflows depend on identity.
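The server side of secure mode, as an added example that is not RogerIQ's own code. The function names, the payload field names, and the choice to sign the bare user ID and hex-encode the result are assumptions; the page only states that the signature is HMAC-SHA256 and is generated on your server.

```python
import hashlib
import hmac


def sign_identity(secret: bytes, user_id: str) -> str:
    """Hex HMAC-SHA256 over the user id. Signing the bare id is an assumption."""
    if not secret or not user_id:
        raise ValueError("secret and user_id must be non-empty")
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_identity(secret: bytes, user_id: str, signature: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    expected = sign_identity(secret, user_id).encode("ascii")
    # Encode the untrusted value first: compare_digest raises TypeError
    # when given a str that contains non-ASCII characters.
    return hmac.compare_digest(expected, signature.encode("utf-8", "replace"))


def widget_boot_payload(secret: bytes, session_user_id: str) -> dict:
    """Values the server renders into the page for the widget.

    The id comes from the authenticated server session, never from a
    request parameter, and the secret itself is never included.
    """
    return {
        "user_id": session_user_id,
        "signature": sign_identity(secret, session_user_id),
    }


# Constructed demo value; a real secret is loaded from server-side secret storage.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

if __name__ == "__main__":
    payload = widget_boot_payload(DEMO_SECRET, "user-1042")
    print(payload)
    # The signature only matches the id it was issued for.
    print(verify_identity(DEMO_SECRET, "user-1042", payload["signature"]))
    print(verify_identity(DEMO_SECRET, "user-1043", payload["signature"]))
```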

Forms and Beacons

Public submissions are protected with:

  • origin checks
  • rate limiting
  • honeypot fields
  • FingerprintIQ bot evaluation
  • Turnstile on hosted RogerIQ pages
  • archive checks
  • file validation

Webhooks

Store webhook secrets securely and verify signatures before acting on events. Rotate secrets if they are exposed.

Attachments

Attachments are uploaded to R2 after validation. Treat customer uploads as untrusted content when displaying, scanning, or exporting them.

Advanced Surfaces

Advanced settings include API keys, webhooks, developer apps, compliance, enterprise controls, imports, and migration readiness. Keep access to these surfaces limited to admins and developers who need them.
